IRB Guidelines

Section XIII: Internet Research

Internet data collection via email, list servs, electronic bulletin boards and web surveys falls under the purview of the Institutional Review Board.

The Internet is an insecure medium as data in transit is vulnerable. So, internet data collection is rarely private, anonymous, or even confidential. The potential source of risk is harm resulting from a breach of confidentiality. This risk is accentuated if the research involves data that places subjects at risk of criminal or civil liability or could damage their financial standing, employability, insurability, reputation or could be stigmatizing.

The following procedures are required for Internet research:

A. IRB Application:

1. Section O: To post a survey on a listserv, obtain permission from the listserv manager or "list owner" as well as "community consent." A posting to a UGA listserv must follow all the UGA policies regarding SPAM. To observe a chat room, obtain authorization from the chat room manager. No lurking or deception, like pretending to be a member!
2. Sections H and S: State the procedures to be employed to authenticate that the participants are adults. State plans to use a secure server (SSL 2 or S-HTTP 3). Stripping identifiers from data, storing identifiers and data in separate files, auditing the security of data directories should be routine procedures.
3. Section M: Request an IRB waiver to document informed consent.

B. Consent Document:

• An Internet consent document should be written like a cover letter and should include all the elements of the regular signed consent, including the confidentiality disclaimer given below. The consent line should say, "By completing the survey you are agreeing to participate in the research." For web based surveys, add a click through button.
• Include the following confidentiality disclaimer in the consent document: "There is a limit to the confidentiality that can be guaranteed due to the technology itself." While the researcher may ensure the confidentiality of a participant by utilizing standard procedures (pseudonyms, etc.) when the researcher writes up the final research product, the researcher cannot ensure confidentiality during the actual Internet communication procedure.
• For a chat room that is not open to the public, inform participants that an "observation" is taking place, and that any information exchanged may be used for research purposes.
• Provide an alternative means of filling out the survey. For example, allow the participant to complete it and send it via snail mail to the researcher. Ensure that the researcher's contact information is prominently displayed on both the cover letter and the survey instrument to avoid having the survey misdirected to the IRB.
• Online consent may not be suitable for high-risk studies.

C. Survey:

1. The instrument should be formatted in a way that will allow participants to skip questions if they wish to or provide a response like "I choose not to answer."
2. At the end of the survey, there should be two buttons: one to allow participants to discard the data and the other to submit it for inclusion in the study

D. Tips:

1. Consider using gift certificates from online retailers and displaying the unique certificate redemption number to respondents at the completion of a questionnaire. This allows participants to receive an incentive without revealing their identity.
2. The level of security should be appropriate to the risk. For most research, standard security measures like encryption and secure socket layer (SSL) will suffice. However, with sensitive topics additional protections include certified digital signatures for informed consent, encryption of data transmission, technical separation of identifiers and data, and strong verification of assent.
3. Researchers working with children online are subjects to Children's Online Privacy Protection Act (COPPA) in addition to the human subjects regulations. Researchers are prohibited from collecting personal information from a child without posting notices about how the information will be used and without getting verifiable parental consent.
4. Screen out minors by checking for Internet Monitoring software like SafeSurf and RSACi ratings or using Adult Check systems.
5. Research that places human subjects at greater risk may not be appropriate for the Internet.

E. References:

Kraut, R. et al 2004 Psychological Research Online: Report of Board of Scientific Affairs Advisory Group on the Conduct of Research on the Internet. American Psychologist February/March 2004.

1. Every computer connected to the Internet has a unique identifier called an IP (Internet Protocol) address. On many networks, the IP address of a computer is always the same, i.e., fixed or static. On other networks, a random IP address is assigned each time a computer connects to the network, i.e., dynamic. Knowing a fixed IP address is tantamount to knowing the identity of its users.
2. SSL: Secure Sockets Layer is a protocol developed by Netscape for transmitting private documents via the Internet . SSL works by using a public key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http.
3. Another protocol for transmitting data securely over the World Wide Web is Secure HTTP (S-HTTP) . Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to transmit individual messages securely. SSL and S-HTTP, therefore, can be seen as complementary rather than competing technologies. Both protocols have been approved by the Internet Engineering Task Force (IETF) as a standard.